Intro to Cryptocurrencies & Review of Relevant Crypto Tyler Moore, CS 7403, University of Tulsa Slides adapted from Arvind Narayanan, Joseph Bonneau, Edward Felten, Andrew Miller, Princeton University 1
Overview Cryptographic Hash Functions Hash Pointers and Data Structures Digital Signatures Public Keys as Identities Simple Cryptocurrencies 2
Overview Cryptographic Hash Functions Hash Pointers and Data Structures Digital Signatures Public Keys as Identities Simple Cryptocurrencies 3
Hash function: takes any string as input fixed-size output (we’ll use 256 bits) efficiently computable Security properties: collision-free hiding puzzle-friendly 4
Hash property 1: Collision-free Nobody can find x and y such that x != y and H(x)=H(y) x y H(x) = H(y) 5
Collisions do exist... possible inputs possible outputs … but can anyone find them? 6
How to find a collision try randomly chosen inputs 99.8% chance that two of them will collide This works no matter what H is … … but it takes too long to matter 7
Is there a faster way to find collisions? For some possible H’s, yes. For others, we don’t know of one. No H has been proven collision-free. 8
Application: Hash as message digest If we know H(x) = H(y), it’s safe to assume that x = y. To recognize a file that we saw before, just remember its hash. Useful because the hash is small. 9
Hash property 2: Hiding We want something like this: Given H(x), it is infeasible to find x. H(“heads”) H(“tails”) easy to find x! 10
Hash property 2: Hiding Hiding property: If r is chosen from a probability distribution that has high min-entropy, then given H(r | x), it is infeasible to find x. High min-entropy means that the distribution is “very spread out”, so that no particular value is chosen with more than negligible probability. 11
Application: Commitment Want to “seal a value in an envelope”, and “open the envelope” later. Commit to a value, reveal it later. 12
Commitment API (com, key) := commit(msg) match := verify(com, key, msg) To seal msg in envelope: (com, key) := commit(msg) -- then publish com To open envelope: publish key, msg anyone can use verify() to check validity 13
Commitment API (com, key) := commit(msg) match := verify(com, key, msg) Security properties: Hiding: Given com, infeasible to find msg. Binding: Infeasible to find msg != msg’ such that verify(commit(msg), msg’) == true 14
Commitment API commit(msg) := ( H(key | msg), H(key) ) where key is a random 256-bit value verify(com, key, msg) := ( H(key | msg) == com ) Security properties: Hiding: Given H(key | msg), infeasible to find msg. Binding: Infeasible to find msg != msg’ such that H(key | msg) == H(key | msg’) 15
Hash property 3: Puzzle-friendly Puzzle-friendly: For every possible output value y, if k is chosen from a distribution with high min-entropy, then it is infeasible to find x such that H(k | x) = y. 16
Application: Search puzzle Given a “puzzle ID” id (from high min-entropy distrib.), and a target set Y: Try to find a “solution” x such that H(id | x) ∈ Y. Puzzle-friendly property implies that no solving strategy is much better than trying random values of x. 17
Overview Cryptographic Hash Functions Hash Pointers and Data Structures Digital Signatures Public Keys as Identities Simple Cryptocurrencies 18
hash pointer is: * pointer to where some info is stored, and * (cryptographic) hash of the info if we have a hash pointer, we can * ask to get the info back, and * verify that it hasn’t changed 19
(data) H( ) will draw hash pointers like this 20
key idea: build data structures with hash pointers 21
linked list with hash pointers = “block chain” data prev: H( ) data prev: H( ) data prev: H( ) H( ) use case: tamper-evident log 22
detecting tampering data prev: H( ) data prev: H( ) data prev: H( ) H( ) use case: tamper-evident log 23
binary tree with hash pointers = “Merkle tree” H( ) (data) 24
proving membership in a Merkle tree H( ) (data) show O(log n) items 25
Advantages of Merkle trees Tree holds many items but just need to remember the root hash Can verify membership in O(log n) time/space Variant: sorted Merkle tree can verify non-membership in O(log n) (show items before, after the missing one) 26
More generally... can use hash pointers in any pointer-based data structure that has no cycles 27
Overview Cryptographic Hash Functions Hash Pointers and Data Structures Digital Signatures Public Keys as Identities Simple Cryptocurrencies 28
What we want from signatures Only you can sign, but anyone can verify Signature is tied to a particular document can’t be cut-and-pasted to another doc 29
API for digital signatures (sk, pk) := generateKeys(keysize) sk: secret signing key pk: public verification key sig := sign(sk, message) isValid := verify(pk, message, sig) 30
Requirements for signatures “valid signatures verify” verify(pk, message, sign(sk, message)) == true “can’t forge signatures” adversary who: knows pk gets to see signatures on messages of his choice can’t produce a verifiable signature on another message 31
Note: Bitcoin uses ECDSA standard Elliptic Curve Digital Signature Algorithm relies on hairy math will skip the details here --- look it up if you care good randomness is essential foul this up in generateKeys() or sign() ? probably leaked your private key 32
Overview Cryptographic Hash Functions Hash Pointers and Data Structures Digital Signatures Public Keys as Identities Simple Cryptocurrencies 33
Useful trick: public key == an identity if you see sig such that verify(pk, msg, sig)==true, think of it as pk says, “[msg]”. to “speak for” pk, you must know matching secret key sk 34
How to make a new identity create a new, random key-pair (sk, pk) pk is the public “name” you can use [usually better to use Hash(pk)] sk lets you “speak for” the identity you control the identity, because only you know sk if pk “looks random”, nobody needs to know who you are 35
Decentralized identity management anybody can make a new identity at any time make as many as you want! no central point of coordination These identities are called “addresses” in Bitcoin. 36
Privacy Addresses not directly connected to real-world identity. But observer can link together an address’s activity over time, make inferences. 37
Overview Cryptographic Hash Functions Hash Pointers and Data Structures Digital Signatures Public Keys as Identities Simple Cryptocurrencies 38
GoofyCoin 39
Goofy can create new coins CreateCoin [uniqueCoinID] signed by sk Goofy New coins belong to me. 40
A coin’s owner can spend it. CreateCoin [uniqueCoinID] signed by sk Goofy Pay to pk Alice : H( ) signed by sk Goofy Alice owns it now. 41
The recipient can pass on the coin again. CreateCoin [uniqueCoinID] signed by sk Goofy Pay to pk Alice : H( ) signed by sk Goofy Pay to pk Bob : H( ) signed by sk Alice Bob owns it now. 42
CreateCoin [uniqueCoinID] signed by sk Goofy Pay to pk Alice : H( ) signed by sk Goofy Pay to pk Bob : H( ) signed by sk Alice Pay to pk Chuck : H( ) signed by sk Alice double-spending attack 43
double-spending attack one of the main design challenges in digital currencies 44
ScroogeCoin 45
trans prev: H( ) trans prev: H( ) trans prev: H( ) H( ) transID: 73 transID: 72transID: 71 Scrooge publishes a history of all transactions (a block chain, signed by Scrooge) optimization: put multiple transactions in the same block 46
transID: 73 type:CreateCoins CreateCoins transaction creates new coins coins created num valuerecipient 03.20x x x... coinID 73(0) coinID 73(1) coinID 73(2) Valid, because I said so. 47
transID: 73 type:PayCoins PayCoins transaction consumes (and destroys) some coins, and creates new coins of the same total value coins created num valuerecipient 03.20x x x... consumed coinIDs: 68(1), 42(0), 72(3) signatures Valid if: -- consumed coins valid, -- not already consumed, -- total value out = total value in, and -- signed by owners of all consumed coins 48
Immutable coins Coins can’t be transferred, subdivided, or combined. But: you can get the same effect by using transactions to subdivide: create new trans consume your coin pay out two new coins to yourself 49
Don’t worry, I’m honest. Crucial question: Can we descroogify the currency, and operate without any central, trusted party? 50